Apart from appropriating a weighty increase in federal IT security spending in the coming year, the single most important step lawmakers can take to make the Internet safer is carve out a Freedom of Information Act exemption for enterprises that share information with the government, the White House cybersecurity chief said today.
Richard Clarke, special advisor to the President for Cyberspace Security, told congressional staffers that current FOIA rules constitute a major barrier to cooperation between the private sector and government. Fearful that sensitive network information could be made public, companies are reluctant to share information about Internet attacks and other security issues, he said.
"The biggest thing Congress could do this session in terms of cybersecurity is to pass a very, very narrowly crafted amendment to the Freedom of Information Act," Clarke said at The Forum on Technology & Innovation chaired by Sens. Jay Rockefeller, D-W.V., and Bill Frist, R-Tenn. Clarke added that the measure's proponents have been advocating it for several years.
This spring, Clarke's office will unveil a draft national cybersecurity strategy and conduct public meetings to discuss it, he said.
Others in the industry see a need for new information security policies apart from private sector/public sector information-sharing. Bruce Schneier, founder and CTO of Counterpane Internet Security Inc., said the industry must be held liable for security vulnerabilities if online safety is to be improved. "The problem is less a technology problem and more a business problem," Schneier said. "Right now the business climate doesn't reward network security."
Schneier suggested that the software industry would take security more seriously if the government enforced liability for faulty products. "The notion that a company can produce a product that is systemically flawed only holds true in software," he said. If software developers were held accountable, companies would purchase product liability insurance, which in turn would promote security standards, he added.
Top executives could also be encouraged to make network security a priority if the government implemented reporting requirements similar to those imposed in the Y2K climate. "The problem with good security is that it looks exactly the same as bad security. The better firewalls aren't the market leaders," Schneier said. "We need to make it such that companies buy the better product."